package com.hsc.www.memory;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class MyAuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter {
    @Autowired
    AuthenticationManager authenticationManager;


    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        //添加客户端信息,这配置了两个客户端
        clients.inMemory()                  // 使用in-memory存储客户端信息
                .withClient("client1")       //  客户端ID
                .secret("{noop}secret1")                   //  客户端secret
                .authorizedGrantTypes("authorization_code", "password", "refresh_token")     // 该client允许的授权类型
                .scopes("user")                      // 允许的授权范围
                .redirectUris("http://www.baidu.com")       //配置默认的重定向url
                .and()
                .withClient("client2")              //  客户端ID
                .secret("{noop}secret2")                     //  客户端secret
                .authorizedGrantTypes("authorization_code", "password", "refresh_token")     // 该client允许的授权类型
                .scopes("user")                      // 允许的授权范围
                .redirectUris("http://www.baidu.com")       //配置默认的重定向url
        ;
        // secret密码配置从 Spring Security 5.0开始必须以 {加密方式}+加密后的密码 这种格式填写
        /*
         *   当前版本5新增支持加密方式：
         *   bcrypt - BCryptPasswordEncoder (Also used for encoding)
         *   ldap - LdapShaPasswordEncoder
         *   MD4 - Md4PasswordEncoder
         *   MD5 - new MessageDigestPasswordEncoder("MD5")
         *   noop - NoOpPasswordEncoder //不加密
         *   pbkdf2 - Pbkdf2PasswordEncoder
         *   scrypt - SCryptPasswordEncoder
         *   SHA-1 - new MessageDigestPasswordEncoder("SHA-1")
         *   SHA-256 - new MessageDigestPasswordEncoder("SHA-256")
         *   sha256 - StandardPasswordEncoder
         */
    }


    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        //如果认证服务器要支持 password 模式的认证方式，需要我们提供一个AuthenticationManager对象给认证服务器，用于对 username 和 password 的判断
        endpoints.authenticationManager(authenticationManager);
        super.configure(endpoints);
    }



    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        // oauth/check_token默认是denyAll,这里我们要开启
        //checkTokenAccess配置为permitAll()，表示调用 oauth/check_token时不要验证，
        //这里配置为isAuthenticated表示调用 oauth/check_token时要验证
        security.checkTokenAccess("isAuthenticated()");
        //允许所有资源服务器访问公钥端点（/oauth/token_key） jwt 方式才用到
        security.tokenKeyAccess("permitAll()");
    }
}